
Overview

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting sensitive patient health information. Qovery provides a HIPAA-eligible infrastructure platform for healthcare organizations and their business associates.
HIPAA Eligibility: Qovery provides HIPAA-eligible infrastructure. Customers deploying applications that handle Protected Health Information (PHI) must sign a Business Associate Agreement (BAA) and implement appropriate safeguards.

HIPAA Overview

HIPAA consists of several key rules:

Privacy Rule

Standards for protecting PHI privacy and patient rights

Security Rule

Administrative, physical, and technical safeguards for ePHI

Breach Notification Rule

Requirements for notifying affected parties of PHI breaches

Enforcement Rule

Procedures for investigations and penalties for non-compliance

Business Associate Agreement (BAA)

When You Need a BAA

A BAA is required when:
  • Your application processes, stores, or transmits PHI
  • You’re a covered entity or business associate under HIPAA
  • You need to demonstrate HIPAA compliance to clients/auditors

How to Obtain a BAA

1. Contact Sales: reach out to sales@qovery.com or your account manager
2. Review Terms: review the BAA terms and the HIPAA-eligible service features
3. Sign Agreement: execute the BAA with Qovery
4. Configure HIPAA Controls: enable the required security controls and logging
5. Document Compliance: maintain documentation of your HIPAA compliance program
BAAs are available for customers on Business and Enterprise plans. Contact sales for pricing and availability.

HIPAA Security Rule Requirements

Administrative Safeguards

Grouped by Security Rule standard:

Security Management Process (risk analysis and management)

Qovery Features:
  • Risk assessment tools and monitoring
  • Security incident procedures
  • Audit controls and logging
  • Access review and management
Customer Responsibilities:
  • Conduct regular risk assessments
  • Implement security policies and procedures
  • Train workforce members
  • Manage access controls

Workforce Security

Qovery Features:
  • Role-based access control (RBAC)
  • MFA enforcement
  • SSO/SAML integration
  • Access termination procedures
Best Practices:
  • Implement least privilege access
  • Regular access reviews
  • Offboarding procedures
  • Security awareness training

Information Access Management

Qovery Features:
  • Granular permissions (organization, project, environment)
  • Service accounts with limited scopes
  • API token management
  • Audit logging of all access
Implementation:
  • Define roles and responsibilities
  • Document access policies
  • Regular permission audits
  • Immediate access revocation on termination

Security Awareness and Training

Customer Responsibilities:
  • HIPAA security training for all workforce members
  • Documentation of training completion
  • Annual refresher training
  • Sanction policy for violations
Qovery Resources:
  • Security best practices documentation
  • Webinars and training materials
  • Customer success support

Physical Safeguards

The Security Rule's physical standards are facility access controls, workstation use and security, and device and media controls. Facility access is covered by the cloud provider and by where you deploy; workstation and device controls for the people who operate the platform (laptops, mobile devices, removable media) remain the customer's responsibility.
Cloud Provider Security:
  • Data centers covered by the provider's SOC 2 reports
  • Physical access controls
  • Video surveillance
  • 24/7 security monitoring
Qovery Deployment:
  • Deploy in HIPAA-eligible cloud regions
  • AWS, GCP and Azure each cover their HIPAA-eligible services under a BAA; confirm that the region and the services you use are on the provider's eligible list
  • Dedicated VPC for isolation

Technical Safeguards

Access Control

Qovery Implementation:
  • Unique user identification (required)
  • Emergency access procedures
  • Automatic logoff (session timeout)
  • Encryption and decryption
Features:
  • Individual user accounts (no shared credentials)
  • MFA enforced for all users
  • API tokens with expiration
  • Break-glass procedures for emergencies

Audit Controls

Qovery Audit Logging:
  • Comprehensive audit trail of all platform actions
  • User authentication events
  • Resource access and modifications
  • API calls and deployments
Log Features:
  • Immutable, append-only logs (tamper-evident)
  • Long-term retention (1+ years)
  • Export to SIEM systems
  • Real-time monitoring and alerting
Logged Events:
  • User login/logout
  • Access attempts to platform resources
  • Configuration changes
  • Deployment activities
  • Access grant/revoke
Platform audit logs record actions taken through the Qovery console and API. Reads of PHI inside your own databases and applications are not visible to the platform: log them in the application and ship those logs to the same SIEM so that both trails can be reviewed together.

Integrity

Data Integrity:
  • Version control for all configurations
  • GitOps workflow with change tracking
  • Immutable infrastructure
  • Cryptographic checksums
Validation:
  • Automated testing pipelines
  • Deployment verification
  • Database integrity checks
  • Backup validation

Transmission Security

Encryption in Transit:
  • TLS 1.2+ for all connections
  • Certificate-based authentication
  • VPN support for internal traffic
  • mTLS between services (optional)
Network Security:
  • Private VPC networking
  • Network segmentation
  • Firewall rules
  • DDoS protection
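"Immutable" and "cryptographic checksums" above only mean something if a reviewer can actually prove that an exported audit archive was not edited, reordered or trimmed after the fact. The following is an added example, not Qovery's code: a SHA-256 hash chain where each record commits to its predecessor, plus an HMAC seal so that an attacker who can rewrite the archive at rest but does not hold the archive key cannot simply recompute the chain. The event records and the key are constructed for the illustration; the field names are assumptions, not the platform's log format.

```python
"""Tamper-evident audit archive: SHA-256 hash chain with an HMAC seal on each
entry. Added illustration, not Qovery code; the events and the archive key are
constructed for the example."""
import hashlib
import hmac
import json

ARCHIVE_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: held by the log owner, separate from log storage
GENESIS = "0" * 64                                  # prev-hash of the first entry

# Constructed events mirroring the categories the page lists (login, grant, deploy, revoke)
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T08:00:00Z", "actor": "alice@example.com", "event": "user.login",    "detail": "mfa=true"},
    {"ts": "2024-06-01T08:05:00Z", "actor": "alice@example.com", "event": "access.grant",  "detail": "bob@example.com -> admin"},
    {"ts": "2024-06-01T09:10:00Z", "actor": "bob@example.com",   "event": "deployment",    "detail": "prod/api v1.4.2"},
    {"ts": "2024-06-01T17:00:00Z", "actor": "alice@example.com", "event": "access.revoke", "detail": "bob@example.com"},
]


def canonical(record):
    """Deterministic encoding so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append(chain, record, key=ARCHIVE_KEY):
    prev = chain[-1]["hash"] if chain else GENESIS
    body = dict(record, prev=prev)                       # each entry commits to its predecessor
    digest = hashlib.sha256(canonical(body)).hexdigest()
    seal = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    chain.append(dict(body, hash=digest, seal=seal))
    return chain


def verify(chain, key=ARCHIVE_KEY, expected_head=None):
    """Return (True, None) if intact, else (False, index of the first bad entry).
    A missing tail is only detectable against a head hash recorded elsewhere."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k not in ("hash", "seal")}
        if body.get("prev") != prev:
            return False, i                              # gap or reordering
        digest = hashlib.sha256(canonical(body)).hexdigest()
        if digest != entry["hash"]:
            return False, i                              # content edited in place
        seal = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(seal, entry["seal"]):
            return False, i                              # rehashed without the archive key
        prev = digest
    if expected_head is not None and prev != expected_head:
        return False, len(chain)                         # entries dropped from the end
    return True, None


def sample_chain():
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, event)
    return chain


def demo_edit():          # rewrite who granted the access
    chain = sample_chain()
    chain[1]["actor"] = "mallory@example.com"
    return verify(chain)


def demo_delete():        # drop the deployment record from the middle
    chain = sample_chain()
    del chain[2]
    return verify(chain)


def demo_truncate():      # drop the revoke record, then check against the published head
    chain = sample_chain()
    head = chain[-1]["hash"]
    chain.pop()
    return verify(chain, expected_head=head)


def demo_forge():         # attacker rebuilds a consistent chain but without the archive key
    forged = []
    for event in SAMPLE_EVENTS:
        append(forged, dict(event, actor="mallory@example.com"), key=b"not-the-archive-key")
    return verify(forged)


if __name__ == "__main__":
    print("intact:", verify(sample_chain()))
    print("edited:", demo_edit(), "deleted:", demo_delete(),
          "truncated:", demo_truncate(), "forged:", demo_forge())
```

Two caveats worth keeping in mind when applying this to a real export: a writer that holds the seal key is trusted, so the key belongs with whoever owns the archive and not on the systems being audited; and truncation at the tail is invisible to the chain alone, so the latest head hash has to be recorded somewhere the archive writer cannot change (the SIEM, a ticket, a signed release note).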

ePHI Protection

Encryption

ePHI must be encrypted at rest, in transit and in backups. In-transit encryption is described under Technical Safeguards above; at rest and for backups:
Database Encryption:
  • AES-256 encryption for all databases
  • Encrypted backups
  • Key management via cloud provider KMS
  • Customer-managed keys (CMEK) available
Storage Encryption:
  • EBS/Persistent Disk encryption
  • S3/GCS/Azure Blob encryption
  • Encrypted volumes for applications

Access Controls

Role-Based Access Control (RBAC):
  • Minimum necessary access
  • Role definitions per HIPAA requirements
  • Regular access reviews
  • Immediate termination of access
Authentication:
  • MFA required for all users
  • Strong password policies
  • SSO/SAML integration
  • API token with expiration
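The access-control items above (minimum necessary access, periodic reviews, immediate termination, MFA for everyone, expiring API tokens) are only as good as the review that checks them, so here is an added example of that review as a script. It is not Qovery's code: the member and token record layout, the HR offboarding feed and the 90-day thresholds are assumptions for the illustration, and the sample data is constructed. Map the fields to whatever your identity provider and the platform's member and token exports actually give you. The same check serves the Information Access Management and Access Management responsibilities listed elsewhere on this page.

```python
"""Periodic access review over a constructed export of organization members
and API tokens. Added illustration, not Qovery code: the record fields,
thresholds and the HR offboarding feed are assumptions for the example."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible
STALE_AFTER = timedelta(days=90)                   # assumption: no login in 90 days => re-justify access
TOKEN_MAX_LIFETIME = timedelta(days=90)            # assumption: tokens must expire within 90 days
SEVERITY = {"critical": 0, "high": 1, "medium": 2}

# Constructed sample data (hypothetical layout, not a real export format)
MEMBERS = [
    {"email": "alice@example.com", "role": "owner",  "mfa": True,  "last_login": "2024-05-30T10:00:00Z"},
    {"email": "bob@example.com",   "role": "admin",  "mfa": False, "last_login": "2024-05-29T09:00:00Z"},
    {"email": "carol@example.com", "role": "viewer", "mfa": True,  "last_login": "2024-01-15T08:00:00Z"},
    {"email": "dave@example.com",  "role": "admin",  "mfa": True,  "last_login": "2024-05-28T12:00:00Z"},
]
TOKENS = [
    {"name": "ci-deploy",  "owner": "alice@example.com", "scope": "deployer", "expires_at": "2024-07-01T00:00:00Z"},
    {"name": "legacy-bot", "owner": "dave@example.com",  "scope": "admin",    "expires_at": None},
    {"name": "dave-cli",   "owner": "dave@example.com",  "scope": "admin",    "expires_at": "2024-06-15T00:00:00Z"},
]
OFFBOARDED = {"dave@example.com"}   # constructed HR feed: these people's access must already be gone


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_access(members, tokens, offboarded, now=NOW):
    """Return findings as (severity, subject, issue), most severe first."""
    findings = []
    for m in members:
        email = m["email"]
        if email in offboarded:
            findings.append(("critical", email, "offboarded workforce member still has access; revoke now"))
        if not m["mfa"]:
            findings.append(("high", email, "MFA not enrolled"))
        if now - parse_ts(m["last_login"]) > STALE_AFTER:
            findings.append(("medium", email, f"no login for over {STALE_AFTER.days} days; confirm still needed"))
    for t in tokens:
        name = t["name"]
        if t["owner"] in offboarded:
            findings.append(("critical", name, f"token owned by offboarded user {t['owner']}"))
        if t["expires_at"] is None:
            findings.append(("high", name, "API token never expires"))
        elif parse_ts(t["expires_at"]) - now > TOKEN_MAX_LIFETIME:
            findings.append(("medium", name, "token lifetime exceeds policy"))
        if t["scope"] == "admin":
            findings.append(("medium", name, "admin-scoped token; use the narrowest scope that works"))
    findings.sort(key=lambda f: (SEVERITY[f[0]], f[1]))
    return findings


def summarize(findings):
    """Count findings per severity, for the review record."""
    counts = {level: 0 for level in SEVERITY}
    for level, _, _ in findings:
        counts[level] += 1
    return counts


if __name__ == "__main__":
    report = review_access(MEMBERS, TOKENS, OFFBOARDED)
    for level, subject, issue in report:
        print(f"{level.upper():8} {subject:20} {issue}")
    print(summarize(report))
```

On the constructed data the script flags the offboarded admin three times (the account itself and both of his tokens), which is the point: revoking a user account without sweeping the tokens that user created leaves a working credential behind. Keep the report with the other HIPAA documentation as evidence that the review actually happened.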

Breach Notification

Incident Response

1. Detection
  • Real-time monitoring and alerting
  • Anomaly detection
  • Security information and event management (SIEM)
2. Assessment
  • Determine whether unsecured PHI was accessed, used or disclosed (PHI that was encrypted per HHS guidance and whose key was not compromised is outside the notification requirement)
  • Assess the extent and nature of the breach: the PHI involved, who obtained it, whether it was actually acquired or viewed, and how far the risk has been mitigated
  • Document findings
3. Containment
  • Isolate affected systems
  • Revoke compromised access
  • Apply security patches
4. Notification
  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery
  • Notify HHS within the same 60 days if 500 or more individuals are affected; for smaller breaches, log them and report to HHS within 60 days after the end of the calendar year
  • Notify prominent media outlets if more than 500 residents of a single state or jurisdiction are affected
  • If you act as a business associate, notify the covered entity within the same 60-day limit
5. Remediation
  • Address root cause
  • Implement corrective actions
  • Update policies and procedures
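The notification step carries three different thresholds and two different clocks, and they are easy to confuse during an incident (500 or more for HHS, more than 500 residents of one state for media, an annual log for everything smaller). The following added worked example, not Qovery's code, encodes those rules from 45 CFR 164.400-414 so the plan for a given breach is computed rather than remembered. The breach scenarios are constructed; the thresholds and the 60-day outer limit are the rule's.

```python
"""Who must be notified, and by when, under the HIPAA Breach Notification Rule
(45 CFR 164.400-414). Added worked example, not Qovery code. The thresholds
and the 60-day outer limit come from the rule; the breach records are constructed."""
from datetime import date, timedelta

OUTER_LIMIT = timedelta(days=60)   # "without unreasonable delay and in no case later than 60 calendar days"


def notification_plan(discovered, affected_by_state, role="covered_entity"):
    """Return a list of (recipient, deadline, basis) for a breach of unsecured PHI.

    discovered:        date the breach was discovered (or should reasonably have been known)
    affected_by_state: {state_or_jurisdiction: number_of_residents_affected}
    role:              "covered_entity" or "business_associate"
    """
    total = sum(affected_by_state.values())
    deadline = discovered + OUTER_LIMIT
    if role == "business_associate":
        # A business associate notifies the covered entity; the covered entity owns the rest.
        return [("covered entity", deadline, "164.410")]
    plan = [("affected individuals", deadline, "164.404")]
    if total >= 500:
        plan.append(("HHS Secretary", deadline, "164.408(b): 500 or more individuals"))
    else:
        # Fewer than 500: keep a log and submit it within 60 days after the end of the calendar year.
        annual_due = date(discovered.year, 12, 31) + OUTER_LIMIT
        plan.append(("HHS Secretary (annual log)", annual_due, "164.408(c): fewer than 500 individuals"))
    for state, count in sorted(affected_by_state.items()):
        if count > 500:   # strictly more than 500 residents of one state or jurisdiction
            plan.append((f"prominent media serving {state}", deadline,
                         "164.406: more than 500 residents of one state"))
    return plan


# Constructed scenarios: the first sits exactly on the HHS threshold but below the media one
SCENARIOS = {
    "multi_state":  (date(2024, 3, 10), {"Ohio": 500, "Virginia": 120}),
    "small":        (date(2024, 3, 10), {"Texas": 300}),
    "single_state": (date(2024, 3, 10), {"Texas": 501}),
}

if __name__ == "__main__":
    for name, (found, by_state) in SCENARIOS.items():
        print(name)
        for recipient, due, basis in notification_plan(found, by_state):
            print(f"  {recipient:40} by {due}  ({basis})")
```

The "multi_state" scenario is the one people get wrong: 620 individuals in total triggers the HHS notice within 60 days, but no single state exceeds 500 residents, so no media notice is due. The deadline is an outer limit, not a target; the rule still requires notification without unreasonable delay.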

Qovery’s Role

In Case of Qovery Breach:
  • Immediate notification to affected customers
  • Detailed incident report
  • Assistance with breach assessment
  • Cooperation with investigation
In Case of Customer Breach:
  • Provide audit logs and forensic data
  • Technical support for containment
  • Guidance on remediation

HIPAA-Eligible Services

Supported Services

Kubernetes

HIPAA-eligible when deployed in compliant regions with BAA

Databases

Managed databases (PostgreSQL, MySQL, MongoDB) with encryption

Object Storage

S3/GCS/Azure Blob with encryption for PHI storage

Load Balancers

TLS termination with certificate management

Required Configuration

For HIPAA eligibility, you must:
  • ✅ Sign a BAA with Qovery
  • ✅ Enable encryption at rest and in transit
  • ✅ Enable comprehensive audit logging
  • ✅ Implement MFA for all users
  • ✅ Deploy in HIPAA-eligible regions
  • ✅ Configure backup and disaster recovery
  • ✅ Implement network isolation

Customer Responsibilities

Shared Responsibility Model: While Qovery provides HIPAA-eligible infrastructure, customers are responsible for:
1. Application Security
  • Secure coding practices
  • Input validation and sanitization
  • Session management
  • Vulnerability scanning
2. Data Classification
  • Identify and classify PHI
  • Implement data flow mapping
  • Document where PHI is stored/transmitted
3. Policies and Procedures
  • Written HIPAA policies
  • Risk assessment procedures
  • Incident response plan
  • Disaster recovery plan
4. Training
  • HIPAA security training for workforce
  • Regular security awareness
  • Documentation of training
5. Access Management
  • User provisioning and deprovisioning
  • Access reviews
  • Minimum necessary access
6. Monitoring and Auditing
  • Regular log review
  • Security monitoring
  • Audit controls testing

HIPAA Regions

Deploy in HIPAA-eligible cloud regions:
  • AWS
  • GCP
  • Azure
HIPAA itself imposes no data-residency requirement; what matters is that the region and the services you use are covered by the cloud provider's BAA. On AWS, all US regions qualify once the BAA is in place, for example:
  • us-east-1 (Virginia)
  • us-east-2 (Ohio)
  • us-west-1 (California)
  • us-west-2 (Oregon)

Compliance Documentation

Qovery provides documentation to support HIPAA compliance:
  • BAA: Business Associate Agreement
  • Security Documentation: Technical and administrative safeguards
  • SOC 2 Report: Independent security audit
  • Audit Logs: Access logs and activity records
  • DPA: Data Processing Agreement
  • Incident Response: Procedures and historical data

Next Steps

Request BAA

Contact sales@qovery.com to request a Business Associate Agreement

Security Overview

Review Qovery’s security architecture and encryption

SOC 2 Compliance

Learn about Qovery’s SOC 2 Type II attestation report

Professional Services

Engage our team for HIPAA compliance consulting

Resources

Disclaimer: This documentation provides information about Qovery features that support HIPAA compliance. Customers are responsible for their own compliance with HIPAA and should consult with legal counsel and compliance experts.